[Solved] Setup WireGuard connecting two networks

Hello,

I am having trouble getting WireGuard to connect two of my networks (replacing a working, yet cumbersome OpenVPN solution). Both networks are on dynamic IPs and have DDNS set up for them.

I followed the tutorial on https://danrl.com/blog/2017/luci-proto-wireguard/ [Edit: I had the older, outdated tutorial URL here, I followed this newer one though] which seems straightforward enough but only describes one side of the setup. Following the tutorial, I set up the WireGuard interface and it seems to work fine. I opened UDP 51820 on router 1 and, for good measure, on router 2 too.

My setup is as follows, using placeholders for IPs and keys:

  • router 1 is the edge router on network 10.0.0.0/24, IP 10.0.0.1, WireGuard interface 'wg0' is on 10.64.0.1
  • router 2 is the edge router on network 10.1.0.0/24, IP 10.1.0.1, WireGuard interface 'wg0' is on 10.64.0.2

router 1, /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router 1 private key>'
	list addresses '10.64.0.1'

config wireguard_wg0
	option public_key '<router 2 public key>'
	option route_allowed_ips '1'
	list allowed_ips '10.64.0.0/24'
	list allowed_ips '10.1.0.0/24'

router 2, /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router 2 private key>'
	list addresses '10.64.0.2'

config wireguard_wg0
	option public_key '<router 1 public key>'
	option route_allowed_ips '1'
	option endpoint_host '<router 1 DDNS name>'
	option persistent_keepalive '25'
	list allowed_ips '10.64.0.0/24'
	list allowed_ips '10.0.0.0/24'

My idea is that router 2 should try (and upon disconnect, retry) to connect to router 1 and establish the tunnel between the two networks.

Yet when I look at router 2, I only see the following:

root@router2:/tmp# wg show
interface: wg0
  public key: <router 2 public key>
  private key: (hidden)
  listening port: 51820

peer: <router 1 public key>
  endpoint: <router 1's correctly resolved IP>:51820
  allowed ips: 10.64.0.0/24, 10.0.0.0/24
  transfer: 0 B received, 16.62 KiB sent
  persistent keepalive: every 25 seconds

Never any handshake, and never anything received. Similarly on router 1. Even without the WireGuard interfaces assigned to any firewall zone (the tutorial never did that either), the tunnel should at least connect, no?

What am I missing?

Also, I looked at trying to at least connect to demo.wireguard.io, but I didn't manage to translate the demo shell script into a meaningful OpenWrt/UCI configuration.

1 Like
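To make the symptom in that `wg show` output easy to spot across several peers, here is an added shell snippet (not part of the thread, not an OpenWrt or WireGuard tool) that reads `wg show` output and lists every peer that has no `latest handshake:` line, together with its received byte count. The two sample outputs are constructed from the figures quoted in this thread; keys and the endpoint address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: flag peers in `wg show` output that have
# never completed a handshake. A peer with "0 B received" and no
# "latest handshake:" line is exactly the state described in the first post.

# Constructed sample: the first post's router 2, no handshake ever.
SAMPLE_STUCK='interface: wg0
  public key: <router 2 public key>
  private key: (hidden)
  listening port: 51820

peer: <router 1 public key>
  endpoint: 203.0.113.10:51820
  allowed ips: 10.64.0.0/24, 10.0.0.0/24
  transfer: 0 B received, 16.62 KiB sent
  persistent keepalive: every 25 seconds'

# Constructed sample: a peer that does handshake (figures from the later post).
SAMPLE_OK='interface: wg0
  public key: <local public key>
  listening port: 51820

peer: <remote public key>
  endpoint: 203.0.113.20:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 34 seconds ago
  transfer: 552 B received, 1.67 KiB sent
  persistent keepalive: every 25 seconds'

# wg_peers_without_handshake: read `wg show` text on stdin and print one line
# per peer that has no "latest handshake:" line, e.g.
#   <router 1 public key> no-handshake rx=0 B
wg_peers_without_handshake() {
    awk '
        function flush() {
            if (peer != "" && !seen) print peer " no-handshake rx=" rx
        }
        /^peer: /              { flush(); peer = substr($0, 7); seen = 0; rx = "?" }
        /^  latest handshake:/ { seen = 1 }
        /^  transfer:/         { rx = $2 " " $3 }
        END                    { flush() }
    '
}

# count_stuck_peers: number of peers without a handshake in the given text.
count_stuck_peers() {
    printf '%s\n' "$1" | wg_peers_without_handshake | wc -l | tr -d ' '
}

# Stand-alone usage: on a router you would pipe the live output instead:
#   wg show | wg_peers_without_handshake
printf '%s\n' "$SAMPLE_STUCK" | wg_peers_without_handshake
```

A peer listed here with `rx=0 B` while bytes are being sent means the remote side never answered the handshake initiation; with this thread's setups that pointed to the remote end not actually listening on the port the endpoint names, or to the port being filtered.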

A quick, not very enthusiastic update: No matter what I did, I could not get WireGuard to connect. I feel like there's some very basic misunderstanding on my side, but I really don't know where I'm wrong.

In the meantime, I resorted to my OpenVPN-based solution which ... just works out of the box.

I've got wireguard running between 2 LEDE routers so it does work. The only thing that I think I've done differently is I added the endpoint router option in both configs.

1 Like

But that can't possibly be a requisite ... If it were, you could never use WireGuard "on the go". :confused:

Can I bother you to compare your configuration against mine? Did you do something else to the firewall, or assign the WireGuard interface to any existing or new firewall zone?

1 Like

Yes, I agree. However, as I'm using it to connect two fixed locations I've not really messed around with it too much after I got it working.

[quote="takimata, post:4, topic:4215"]Can I bother you to compare your configuration against mine? Did you do something else to the firewall, or assign the WireGuard interface to any existing or new firewall zone?
[/quote]

Firewall-wise, I added it to the existing LAN zone but haven't opened up any additional ports or anything.

The configs for the two routers are:

Router 1:

config interface 'vpn'
	option proto 'wireguard'
	option private_key '<router 1 private key>'
	list addresses '<router 1 public IP>'
	option preshared_key '<Preshared key>'
	option listen_port '51820'

config wireguard_vpn
	option public_key '<router 2 public key>'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '<ipv6 range>'
	option route_allowed_ips '1'
	option endpoint_host '<router 2 public IP>'

Router 2:

config interface 'vpn'
	option proto 'wireguard'
	option private_key '<router 2 private key>'
	list addresses '<router 2 public IP>'
	option preshared_key '<Preshared Key>'
	option listen_port '51820'

config wireguard_vpn
	option public_key '<router 1 public key>'
	list allowed_ips '192.168.0.0/24'
	list allowed_ips '<IPv6 range>'
	option route_allowed_ips '1'
	option endpoint_host '<router 1 public IP>'

That's really the only difference I recognize, otherwise your configuration looks identical. I will try that.

Any news on that? I think lede won't even load the kernel module (i can't find it in lsmod).

For those where WireGuard works: can you see the wireguard module when you list modules using lsmod?

It shows up in the list on my router.

I solved this by opening port 51820 on both lede routers.

in /etc/config/firewall:

config rule
	option name 'Wireguard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option enabled '1'

1 Like

Are you able to use Wireguard on the go? Or does the setup require the IP of both locations to be entered?

I entered the IP address on both locations. I'm using this as a lan-to-lan vpn. haven't tried on the go.

1 Like

I have the exact same problem as @takimata with trying to connect two of my LANs.

I too followed the danrl.com tutorial.

I'll happily post config file info if necessary, but my situation is so similar to that of @takimata that at this point it seems superfluous to me to do so.

I have slightly different results though. When I ping, I get no packets received. When I try to connect with ssh, I get no response. But (very unexpected to me) I am getting occasional handshakes (shown below as command output of three sequential wg commands)!

allowed ips: 10.0.0.2/32
latest handshake: 2 minutes, 18 seconds ago
transfer: 368 B received, 1.19 KiB sent
persistent keepalive: every 25 seconds

allowed ips: 10.0.0.2/32
latest handshake: 59 seconds ago
transfer: 460 B received, 1.43 KiB sent
persistent keepalive: every 25 seconds

allowed ips: 10.0.0.2/32
latest handshake: 34 seconds ago
transfer: 552 B received, 1.67 KiB sent
persistent keepalive: every 25 seconds

Any thoughts on what's going on here? I'd like to be able to at least ssh into the remote router from the local router. It seems to me like I should be able to do that if the wireguard handshakes are succeeding, but that's not what I'm finding.

Thanks for any thoughts.

@takimata has not posted in this thread for 7 months...

That doesn't make @risole's problem invalid.

And it would help me, too, although I'm not in immediate need for help on it. As I said before, for the time being I helped myself with an OpenVPN tunnel, and that temporary fix became somewhat permanent. I still want to get WireGuard running at some point, though.

1 Like

Didn't say it was invalid.

The gist was that since you had not posted in 7 months (resolved/not resolved), it would NOT be superfluous to post a similar issue.

I probably should have made that more clear.

By all means, continue.

Thanks for the update.

I decided to create a little local setup using two OpenWrt devices, to get to the bottom of this all. And after some tooling around, I actually found the problem. And it's so incredibly simple and/or silly that I could slap myself in the face for not noticing it earlier.

Here it is:

  • While a WireGuard peer connects to port 51820 on another peer by default
  • and the LuCI interface (luci-proto-wireguard) shows a placeholder for the peer's listening port as 51820 if unspecified (suggesting a default port of 51820)
  • a peer does not listen to port 51820 by default. You need to explicitly specify the listening port, otherwise it will be random.

So my "server" configuration was missing:

    option listen_port '51820'

Since it's possible to bring up a WireGuard interface without a ListenPort parameter, I'm pretty sure the random port is default behaviour. So it's a UX bug in luci-proto-wireguard having "51820" as a placeholder, suggesting it would be the default value.

Of note: There seems to be no option to actually prevent a peer from listening to any port. So you might want to set it to a fixed port anyway, to avoid a random port "dangling in the breeze."

4 Likes
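Because the missing `listen_port` is invisible in LuCI (the placeholder looks like a default) and the firewall rule from the earlier post is easy to forget on one of the two routers, here is an added shell check (not part of the thread and not an OpenWrt tool) that parses UCI-style `/etc/config/network` and `/etc/config/firewall` text and reports a WireGuard interface with no explicit `listen_port`, and whether a `wan`-side UDP ACCEPT rule exists for a given port. The config texts below are constructed from this thread's placeholder configs; the parser only understands the `config` / `option` / `list` lines used here.

```shell
#!/bin/sh
# Added example, not from the thread: detect the two pitfalls discussed above
# in UCI config text. It is a minimal parser for the line shapes used here.

# Constructed: router 1 from the first post, no listen_port anywhere.
NET_BROKEN="config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router 1 private key>'
	list addresses '10.64.0.1'

config wireguard_wg0
	option public_key '<router 2 public key>'
	option route_allowed_ips '1'
	list allowed_ips '10.64.0.0/24'
	list allowed_ips '10.1.0.0/24'
"

# Constructed: the same interface with the fix from the resolving post.
NET_FIXED="config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router 1 private key>'
	option listen_port '51820'
	list addresses '10.64.0.1'
"

# Constructed: the firewall rule posted earlier in the thread.
FW_RULE="config rule
	option name 'Wireguard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option enabled '1'
"

# wg_interfaces_missing_listen_port: UCI network text on stdin; prints the
# section name of every `config interface` with proto wireguard and no
# listen_port (a random port is used in that case).
wg_interfaces_missing_listen_port() {
    awk -v q="'" '
        function unq(s) { gsub("^[\"" q "]", "", s); gsub("[\"" q "]$", "", s); return s }
        function flush() {
            if (type == "interface" && proto == "wireguard" && port == "") print name
        }
        /^[ \t]*config[ \t]/ { flush(); type = $2; name = unq($3); proto = ""; port = "" }
        /^[ \t]*(option|list)[ \t]/ {
            key = $2; val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); val = unq(val)
            if (key == "proto") proto = val
            if (key == "listen_port") port = val
        }
        END { flush() }
    '
}

# firewall_accepts_udp_port PORT: UCI firewall text on stdin; prints "yes" if
# an enabled rule accepts UDP to PORT from the wan zone, otherwise "no".
firewall_accepts_udp_port() {
    awk -v q="'" -v want="$1" '
        function unq(s) { gsub("^[\"" q "]", "", s); gsub("[\"" q "]$", "", s); return s }
        function flush() {
            if (type == "rule" && src == "wan" && proto == "udp" && dport == want \
                && target == "ACCEPT" && enabled != "0") found = 1
        }
        /^[ \t]*config[ \t]/ { flush(); type = $2; src = ""; proto = ""; dport = ""; target = ""; enabled = "" }
        /^[ \t]*(option|list)[ \t]/ {
            key = $2; val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); val = unq(val)
            if (key == "src") src = val
            if (key == "proto") proto = val
            if (key == "dest_port") dport = val
            if (key == "target") target = val
            if (key == "enabled") enabled = val
        }
        END { flush(); print (found ? "yes" : "no") }
    '
}

# Stand-alone usage with the constructed samples; on a router you would use
#   wg_interfaces_missing_listen_port < /etc/config/network
#   firewall_accepts_udp_port 51820 < /etc/config/firewall
for ifname in $(printf '%s\n' "$NET_BROKEN" | wg_interfaces_missing_listen_port); do
    echo "interface $ifname: proto wireguard but no listen_port (random port will be used)"
done
echo "wan accepts udp/51820: $(printf '%s\n' "$FW_RULE" | firewall_accepts_udp_port 51820)"
```

Run on both routers, the two checks cover the whole thread's resolution: the side named in the other side's `endpoint_host` must have a fixed `listen_port`, and that port must be accepted from `wan` on that router.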

JFTR: To help others steer clear of this pothole, I raised the issue and submitted a change which has been accepted.

2 Likes

Wonderful news @takimata! Thanks for exploring the issue and for sharing your results. I'm not in a position to be able to test this myself right now, but as soon as I am, I'll try your solution and update this thread with my results.

Thanks again!

For the sake of newbies, you might want to fix these port numbers, which don't exist anyway.
But for a newbie they might be confusing.

FWIW,

it's now 2019, and I have the same problem still!

I have to setup the peers Endpoint Host on BOTH wireguard interfaces to get a connection!

So nothing has been fixed I guess. WireGuard works out of the box with BOTH endpoint hosts set. So kinda like both reaching out to each other.

That's a violation of the concept Host-Client, as both must be setup as hosts.